
Codeigniter controllers: POST with private functions or no-POST with public functions?

With security in mind is it best to (for codeigniter apps):

  1. Have a controller that checks for POST input and then delegates to private functions.

OR

  2. Have a controller with a bunch of public functions.

My consideration here is if we allow the users to see the URL, they can just use that URL again to do some action. But if we stick with the POST-delegation method, not everyone will be able to customize their own POST info and try to game the system.

But is this really a concern of significance? Are there any best practices for this type of concern?

Notes: I use a lot of AJAX on the app as well.

Just my personal opinion but I would go with your first option, use POST with private functions.

I like to keep my Controllers locked down, they are independent and private and are in fact in control! They can instantiate the other 'service' classes (eg Models and Views), call the public methods in the Models and then push the data into the Views' public vars.

In my eyes it's like this:

  • Controller classes are independent (perhaps extending a common base class, but the same could easily be achieved with static methods), they have private methods!
  • Model classes are also largely independent but with, of course, public functions to retrieve and process data!
  • View classes are where you'll get your public methods to render data to the page etc.


Just a thought on your AJAX too: I use a custom handler class to serve as a controller and abstraction layer for all AJAX requests. This way you can maintain tighter security over your AJAX access and data!

hth

My 2p: Enabling CSRF protection (which is present in CI 2.0.3) should go some way to satisfy your security considerations about having "any old data" being POSTed to your controllers.

http://codeigniter.com/user_guide/libraries/security.html (at the end).
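The two answers above combined into one controller, as an added example that is not part of the thread: a single routable entry point rejects non-POST requests and dispatches through a whitelist to underscore-prefixed private methods (which CI 2.x will not route to), with the CSRF setting the second answer refers to shown in its default and hardened form. It assumes CodeIgniter 2.0.x (`$this->input->post()`, `$this->input->server()`, `show_404()`, `redirect()`, the `csrf_*` keys in `application/config/config.php`) and a hypothetical `account_model`, `account_form` view and session user id.

```php
<?php
// Added example, not from the original thread. Assumes CodeIgniter 2.0.x.
//
// application/config/config.php, the CSRF switch from the second answer:
//   $config['csrf_protection'] = FALSE;  // default: any site can POST to you
//   $config['csrf_protection'] = TRUE;   // CI rejects POSTs lacking a valid token
//   $config['csrf_token_name']  = 'csrf_test_name';
//   $config['csrf_cookie_name'] = 'csrf_cookie_name';
//   $config['csrf_expire']      = 7200;
// With it on, form_open() emits the hidden token field for you.

class Account extends CI_Controller {

    // The only routable method. GET just renders the form; anything that
    // changes state must arrive as a POST, which CI's CSRF filter has
    // already validated before this code runs.
    public function index()
    {
        if ($this->input->server('REQUEST_METHOD') !== 'POST') {
            $this->load->view('account_form');   // hypothetical view
            return;
        }

        // Whitelist of POSTed action -> private handler. The URL alone never
        // selects an operation, and an unknown action is simply a 404.
        $handlers = array(
            'update_email' => '_update_email',
            'delete'       => '_delete',
        );
        $action = $this->input->post('action');
        if ( ! isset($handlers[$action])) {
            show_404();
            return;
        }
        $this->{$handlers[$action]}();
    }

    // Underscore prefix: CI 2.x refuses to route a URL to this method;
    // `private` additionally stops other classes from calling it.
    private function _update_email()
    {
        $email = $this->input->post('email', TRUE);   // TRUE = run xss_clean
        $user  = $this->session->userdata('user_id');  // assumed to be set at login
        $this->account_model->set_email($user, $email); // hypothetical model
        redirect('account');                            // PRG: no resubmit on refresh
    }

    private function _delete()
    {
        $this->account_model->delete($this->session->userdata('user_id'));
        redirect('account');
    }
}
```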
